Code Red! All Hands to Battle Stations!
We had thought we were done with Code Red last week, but CERT is sending out warnings that the entire internet will cease to exist if the Code Red MSTD [?] isn't stopped in its tracks. Even Scientific American has a story about it. Cringely tells us that the true threat is servers with mis-set clocks.
would only approach systems that have subscribed to this as a service.
inform the Administrator of the system (through email
some sort of confirmation/activation/deactivation process available to the Administrator
I've got an idea too! How about an "opt in system" where system administrators get emailed a location to where the "patch" is! That way they would:
1) Be informed of the problem.
2) Told where to get the fix
3) Have some sort of confirmation/activation/deactivation process available to the Administrator
Or how about a web page where users could find updates?
Or maybe a site that tracks bugs in software?
And all that without having to have microsoft send out more stupid worms.
My point is that if people don't use the tools already available, why would they take the time to opt-in to this program?
-- Zack
Eh? You're getting queries for your web server from multicast addresses? Interesting.
--
And you know what? He's right. The fact that a 13-year-old kid with "off-the-shelf" script-kiddying tools can cultivate an army of bots and anonymously attack any site he wants is a very large flaw in the world of computing and deserves a lot of attention. Scare tactics, while somewhat repugnant, are effective, and Gibson sometimes uses his powers for good as well as evil.
All the articles I've read about Code Red seem to be carefully avoiding pointing the finger at Microsoft.
A statement like "Microsoft IIS servers run less than 25% of the Web, but the congestion created by the attack could affect all servers" would be accurate, informative, and make it clear that the problem is caused by a minority of systems. It would also make PHBs think twice about implementing IIS.
How do we get this message out to PHBs everywhere?
It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
Don't think that just because you're running a Linux distribution that you're safe from worms. Anybody running portsentry or snort can tell you about how many times per day they get a portscan on their system looking at port 111 (rpc.statd). Linux is not a magic bullet; it takes discipline to keep up with the exploits no matter what operating system you use to connect to the net.
Hey! No need to be sorry for speaking the truth.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
The string & tin-cans currently used on the backbones and trans-atlantic link might be a cool hack, but they are a little short on bandwidth for serious use. It's got to the point where those who built the Internet in the first place have had to jump ship, and start from scratch, just to get the necessary bandwidth.
I -hope- that the failures are major enough that QoS technology is deployed, not just decorated. I -hope- that delays become bad enough that terabit pipes become the norm, not just a pipe-dream. I -hope- that this scares ISPs and corporations into enabling ECN, IPSec and possibly even IPv6.
It is only in times of adversity that technology really changes. We have an adversary, we HAVE to defeat it, and that means we HAVE to change.
IMHO, viruses, trojans, etc, are evil. But in destroying their evil, we have the opportunity to rid ourselves of some of our own.
This probably sounds a sick way of looking at things, but the fact is, we HAVE the means to prevent Code Red. We have, for many years. It's because system admins have always argued that it's not worth dealing with threats -before- they happen, that we're in the situation we're in.
Inertia is mankind's second-greatest enemy. (Jerry Springer narrowly beats it.) Damned is the person who does nothing, because they couldn't do everything. This entire fiasco could well give the impetus needed to overcome that inertia.
On the other hand, I'm inclined to think that everyone'll just panic, but do nothing, and actually be over-run. Needlessly and stupidly. But, then, that's people for you.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Mind you, I collect all sorts of odd things. One time, I was into collecting comms software. I had over 30 for the PC.
Another time, it was MUDs. I had practically every MU* server on the planet. (LP, MudOS, Pernmush, Tinymud, Tinymush, Pennmush, Ubermud*, Tinymuck, Abermud, Circle, LambdaMOO, etc)
*Ubermud was the first truly distributed MUD system. Processes could migrate between the Uber servers freely, provided the necessary database entries existed. It was truly ingenious for its time, and nothing more recent really compares.
Of course, *Trek games were great for collecting, too. XTrek, Netrek (Bronco, Vanilla, KSU, et al), the briefly-lived Paradise development line, etc.
Compilers and interpreters are cool, too. That's one reason I'm fluent in something like 10 computer languages, and am OK in about 7-8 more.
Of course, collecting has its down-side. You need a LOT of disk space, a LOT of time, and a LOT of bandwidth. The stuff will never be worth the tens of thousands of dollars that stamps, or other "physical" collectables, will fetch in time. And they require active steps to preserve. A teddy bear, if stuffed in a box in the attic, will usually do ok for 40-50 years. Netrek, on a 3.5" floppy, would be lucky to last a tenth of that time. Even if there was still anything that would read it.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Anyone with the naivety to run IIS is, IMHO, automatically suspect when it comes to doing anything technical, such as setting a clock.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Considering the nature of this thing, when it went dormant, probably most people just forgot about it. It doesn't really need to spread again, since it's still out there all over the place.
This is not really all that different from an average virus-- it spreads for a while, activates, causing a lot of damage and panic and such, people panic for a while, it deactivates and spreads some more.
The people who are all worried about it coming back repeatedly should be at most disappointed that it doesn't just kill itself after a month. But there's no reason they should expect it to.
In fact, this is still less of a problem than an old-style virus: in order to stop those, you had to get a clever program to catch and disable this code. With Code Red you merely have to patch or replace IIS and it stops being an issue.
I'm still getting
"Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks"
spam in my mailbox...
This newswire article quotes various people in China claiming that obviously the worm didn't come from there because Chinese servers aren't getting infected, and besides, the worm is just too complicated for an individual to create. The reporter bought it. Had he bothered to do some research, he'd have known that the worm is coded to only infect English (US) language servers, and in all likelihood it was coded by a (Chinese?) teenager with too much time on his hands.
(Well, okay, it does run on the non-English servers, but it doesn't deface them...)
Perhaps the fact that this guy got modded to 3 with such baseless "logic" is an indication that there are some xenophobic moderators around? Guys, mod this misguided moron down!
My point, had you bothered to think about it, was that the reasons given for why the worm couldn't have originated in China were obviously wrong, and had the reporter been competent enough to do a modest amount of research he'd have seen that.
Sometimes the obvious answer, namely that the worm really was written by a lone cracker in China, really is the right one, no matter how un-politically-correct it is. However, we don't really know, as I indicated with "(Chinese?)". I'm just curious why the reporter's mainland Chinese sources felt it necessary to dispense obvious misinformation. It's probably just a reflex action from a lifetime in one of the more brutal Communist dictatorships.
Great title. If you'll hurry up with that screenplay maybe we can get Robert Urich as the title character and it can be the "Tron" sequel.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
Actually MSNBC (the cable channel, haven't looked at the web site) just had someone on explaining this who didn't do too badly considering the audience he was trying to explain it to, and they even put up a graphic showing which *Microsoft* products were vulnerable. They forgot the "We're a joint venture of..." disclaimer, though.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
Here's a link to the story of its creation (Mountain Dew) in Knoxville, Tennessee (I'd always heard that it was started in western North Carolina) from an AC's reply to another post of mine.
http://metropulse.com/dir_zine/dir_2000/1039/t_secret.html
I see even classic Slashdot is now pretty much unusable on dial up anymore.
Being a Mountain Dew drinker since they had a hillbilly on the bottle, I tried Code Red out of curiosity and don't see how anyone could stand to drink an entire bottle, much less copious quantities of it, and wouldn't trust any work done by anyone who did. It's that bad.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
another story to add to the mounting piles of crap that /. editors have been posting lately.
/.
I have found that by going to other sites I am getting better coverage than
I have been an advocate (and even annoyed that people were complaining about the journalism here) but this is getting ridiculous.
Repeat posts, The Onion like garbage, etc is all getting to me.
Clean up the act boys.
Given that at least four components are necessary for a crack to be effective, removing any one of them will prevent the problem. These components are: malicious code, vulnerable service or device, access to same, lack of fixes or unwillingness to apply available fixes.
Evolution suffers the same type of problems. Hypermutation was recently discovered in components of an immune system and many hands were waved about what this proved. What was not explored was the nature of the mutations. They are almost deliberately allowed to "go wild" within very strict bounds, and the result (which would be disastrous outside the immune system) is that a large set of possibly useful responses are produced and tried as antigens in a very short time. However, if any one of a large set of very specific conditions were not met, hypermutation would be lethal. And you can safely bet that any retractions of the previous headlines will be four lines of fine print on page twenty.
So, given that convenience will tend to be chosen over better security (and partly because if an administrator goes for a more secure but less convenient solution they may actually suffer a greater security problem by encouraging (for example) undocumented sharing of passwords), a solution such as replacing Windows plus IIS with Linux/*BSD/whatever plus Apache will actually work, and much better than telling users and administrators that they're idiots. They either know that and have to live with it, or don't know it, never will, and will be annoyed every time someone tries to point this out.
ASP2PHP exists, and works, so there's no really sound reasons left for running IIS. It's also (especially in the name of avoiding monoculture) worthwhile checking out alternatives like Zope. The combination of an inherently more reliable service, and automated updates (I know that Debian, Mandrake and RedHat - at least - have these) will remove a vital section from the crackers' stairway to heaven.
Where Mr Gibson does score is in that not everyone needs to be running vulnerable servers to swamp and drown the Internet. Just enough twits to do the job. I'm currently wondering what social effect would drive IIS market penetration up 4% at the very instant it's been shown to be a public menace. Again. Remember that it's been copping buffer overflows for the best part of a decade now, and doesn't look like stopping.
Got time? Spend some of it coding or testing
...after all, they've given up on Microsoft DNS for themselves, and MSN's outsourced web hosting includes Apache. There's nothing to stop them from telling Apache to lie about who it is, and use something like ChilliSoft for their own web services, and after that it's not such a big step (remember Apache's licencing) to MS-Apache. Then they can explain that they outsourced development in order to be able to focus on .NET, can't they? (-:
Got time? Spend some of it coding or testing
We should petition Microsoft to Open Source IIS, purely as a matter of self defence.
Got time? Spend some of it coding or testing
I agree about stability of Win2000 - it's a lot better on my laptop, but I still manage to crash it occasionally (most recently when launching Outlook). I don't remember ever managing to crash a Linux or Solaris box.
If these putzadmins can't or won't patch the holes, then a "white hat" virus can use the same holes to apply the patches.
I'm not endorsing it, just making a prediction. (But it does have its elegance.)
--
I can see the fnords!
you don't have to run unix to run apache; the win32 port is dreadfully easy and comes with lots of docs
I run it when I want to be quick and dirty on an NT box with the win32 port of perl for CGI so that webfools can get to grips with things rather than screw up my systems
regards
john jones
/.
When NT came out, it was supposed to be based on code stolen from the VMS system, which has truly phenomenal stability - equaled only by a few linux kernels. The advertising, and the legions of MS-shills in userland (who at that time were gunning for OS/2) gleefully proclaimed that NT was stable enough for the enterprise.
I tested NT extensively and found that 3.51 was basically stable enough for user desktops - it crashed about as often as a Macintosh. But the computer press behaved exactly as they do today in regards to W2K - "It's uncrashable! Rock-solid! No more BSOD!" ranted the pundits.
When 4.0 shipped, suddenly the previously "rock solid" NT 3.51 was not a stable platform - you had to upgrade to 4.0 to get the exact same empty promises and gleeful raving. My tests showed no phenomenal improvement, however.
So, perhaps W2K is really stable and wonderful and all that nice warm fuzzy stuff. But, fool me once, shame on you; fool me twice - shame on me. I won't be buying W2K because I have known working alternatives from sources that have not abused my trust.
--Charlie
PS - HP (vendors of the unbelievably horrible HP-UX) were advertising Windows NT using the word uncrashable only a year ago. Just now a quick search on Google turned up numerous instances of this egregiously fraudulent claim... are W2k's promises likely to be any different?
--CTB
Don't you ever read that EULA before you install?
MS (and every other software company) have you agree not to hold them responsible for any loss of any kind (and due to any cause... even negligence). If I were a computer company, I'd have you agree to the same thing.
Now, the question for the lawyers is if the negligence is to the point that they are in breach of their portion of the EULA, which would put the users in a position to demand something in return (service, patches, upgrades, money, bill's head on a platter, etc).
-Chris
...More Powerful than Otto Preminger...
I'm getting irritated on this one, too. My userbase is only just into double figures, but I've had something like 20% of them ask me if they have to do anything to their machines to guard against this. On this scale it's only an irritation - but it's daft.
If they'd only prefixed the bulletins with a simple rider that this only affects website operators (to word it for the users, remember) and that home PCs are fine, this would be better. Users wouldn't be panicking for no good reason, we'd all have a more peaceful world.
Why can't people think harder?
Greg
(Inside a nuclear plant)
Aaaarrrggh! Run! The canary has mutated!
I suspect this is the cure.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
No, he really goes off on the off-clock machines.
As long as even one of these clockless machines remains up and running, Code Red will start over on the first of every month. Forever.
I don't know WHERE he gets that idea. As long as ANY machines still have the worm and ANY machines remain unhardened, we'll still have this problem.
BAD JOURNALIST! NO BISCUIT!
-- IANAEG - I am not an elder god.
I just cracked the advanced *32-bit* encryption scheme used on Microsoft IIS with my hi-tech Pentium processor - even with the logic bug. Boy did it heat up my apartment doing all those calculations - I have the AC on and it's the dead of Winter here in Siberia! I found out this *top secret* information from the source code about what IIS stands for:
No, he's a proponent of promoting Steve Gibson. One year it might be polymorphic viruses are going to kill all our computers, the next Linux is going to kill the internet.
As The register pointed out, if the clock is misset so that it's in infection mode, then it's just going to find that the servers it infects AREN'T in infection mode, so the whole mis-set clock thing is a red herring.
Come on, I wouldn't believe anything Chinese officials say, but I definitely wouldn't believe anything any Worm-author would like me to believe either.
If I were a nerdy Slashdot-reading Worm-writer I would probably think it a good idea to frame the Chinese. And start my infection spree by attacking some Chinese servers first. Next time he'll try Saddam or Milosevic (I heard those stupid Dutch gave him a computer in his cell).
Why the White House? Simply because it makes for a more visible target, publicity is what these guys are after.
Of course it could be the (a?) Chinese, but it could be anyone else on the planet with the necessary skills.
Regards,
Xenna
Disclaimer: The fact that I have a Chinese girlfriend does not influence my opinion in the least. And, no, it wasn't me.
--
I also know that RedHat was criticized for having Apache and several other services running as the default behavior. So the later versions (7.x) don't default as web servers, and the users need to configure them to get them started.
I also believe that this is true for the other distros. Now with XP coming with sockets, I can just imagine the new impact that will have.
Steven Rostedt
-- Nevermind
OTOH, almost every Unix box on the net has Perl these days, so, except for some bootstrapping code, it could be network independent. Also, compilers (and cross-compilers) are more prevalent.
Become a FSF associate member before the low #s are used
"Why don't you try writing a virus or worm that knows enough about each of the various *nix OSes, and the versions of Apache they are running, to infect them all. "
s/Apache/Sendmail and Robert T. Morris did it over 10 years ago.
Become a FSF associate member before the low #s are used
You know it and I know it, and I am certain that most people here on /. know it, too.
I tend to wonder if these "viruses" we have been seeing are merely "shots across the bow", so to speak. I mean - why hasn't a virus as you described come out yet?
Most of the source code to these viruses is available for free, if you know where to search.
It is obvious that MS products are buggy, full of holes to exploit, and rarely patched - not to mention that users of the systems tend to be lazy and ignorant about security precautions - constantly clicking to see the next naked Britney Spears image - so why haven't we seen true chaos yet?
Worldcom - Generation Duh!
Reason is the Path to God - Anon
Actually, I probably am good enough to do this under Windows - but I hate M$'s business practices, and their software is shit.
I am a Linux "convert" - I run SuSE Linux 7.2 at home, currently learning Perl. At work I do VB and Java coding. I have seen the code of the ILoveYou virus - it is dead simple. I am certain these other "viruses" are similar in scope. I am aware of various virus coding sites, and I keep up from time to time on the "underground" - side hobby of mine.
I could probably patch together such a "virus" as described, and even release it without leaving behind a "trail". The only thing keeping me from doing anything like this is that I know ultimately it wouldn't benefit anybody, not even myself - and would be unlikely to affect Microsoft, either. All it would cause would be anger, lost time, and money. So why do it? Of course, all of these other viruses out there do the same thing - so someone either is really fucked up in the head, or there must be some kind of motive.
Boggles me...
Worldcom - Generation Duh!
Reason is the Path to God - Anon
When the Morris worm hit, around 10 years ago (IIRC), it was on all the major newscasts, and on the front page of many papers.
Best Slashdot Co
With any luck, this will just wipe Microsoft servers off the map. Check back next month to see Apache hit >70% on the Web Server Survey.
When people make statements like this;
The government relies on Microsoft and other technology companies to secure everything from defence networks to financial systems.
and then call this worm,
the largest ever dangers to the Internet.
and then go on to state
Code Red exploits a flaw discovered in June in Microsoft's Internet Information Services software used on Internet servers. It is found in Windows' NT and 2000 operating systems.
When are people going to put the pieces together and start holding the people that choose Microsoft and maybe even Microsoft responsible for these things?
Of course this is only a pipe dream. There are too many people out there willing to believe Microsoft's propaganda.
Maybe you should check out the figures at Netcraft's Survey. Apache runs on over 63% of the web servers out there and MS IIS is only on 20%. I would bet that most of those Apache servers are running BSD, Linux or Solaris. The only reason that Microsoft has such a large share is that it takes a few Windows servers to do the work of one Linux server, so companies deploy more of them for their websites. Look at Microsoft's own attempts
[EDITOR] "Cringely, you useless fuckhead! Its deadline! Just make something up, 90% of your readership is so clueless, they won't know the difference. Ignore the 10% who have a clue, they won't bother reading our site for much longer."
... cringely.com in an instant.
:-)
Although he mostly misses the point, especially about how any single unpatched server will somehow relaunch CodeRed every month, I'll agree that port 25 probes are on the increase here. But as more and more machines are patched, the problems and reinfections from this particular worm will eventually become lost in the noise. I am looking forward to new, better written nasty IIS worms over the next few months.
It can be retargetted from whitehouse.gov to
Thanks for the idea. Now, which bit is it that makes CodeRed attack forever? And which bits to change the target?
the AC
[too much karma interferes with your tantric energy, time to troll]
Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
(Use the Preview Button! Check those URLs! Don't forget the http://!)
/. on another screen.]
Doh! Port 80. Self-LART applied.
[obPitifulExcuse: was working on sendmail/procmail/qmail/postfix/dns interaction on one screen, watching port 80 probe counts coming in on another screen, and reading
the AC
Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Shut down the internet?
No more X-10 popup ads!
No more AOL kiddies!
This just might be the Internet Clean Up day we have been needing for a while.
Patrick,
:)
I *really* appreciate your recognition of my post. Unfortunately, my thoughts were discredited yesterday when I first got the ISS alert stating that several security firms have tried the clock-forwarding test, and they were *never* able to get the worm to reawaken. I guess I didn't deserve the "5; Insightful" after all
I never did think that it could be rereleased tonight at 8ET to get started again, but even with the 2,000 hosts with the misconfigured clocks still trying to spread the worm, the first few hours won't be as devastating as the image I painted -- a hundred thousand hosts or more kicking it into high gear all within a few minutes of each other.
I'm excited, so I'll be up late tonight to see how it's going. Thanks again for the recognition. Most appreciated!
--
Steve Jackson
Intelligent Life on Earth
Besides, don't think of it as a virus, but rather "natural selection" in the digital world :)
"And now you shall learn the secret of boot to the head"
i am really looking forward to midnight uct tonight -- it's a code red party!
we'll have all our packet sniffers running full tilt and plan to laugh and laugh at all the losers running iis! die! die! die!
nobody
parturiunt montes, nascetur ridiculus mus
The government has turned down the prospects of creating a counter-worm, but any decently-experienced assembly programmer with sockets experience could just disassemble the current worm, make a number of changes, and release the worm on a time-skewed box. A really crafty assembly programmer could even keep the binary size of the worm the same, so in case the worm has some self-check mechanism, it won't notice any difference. I personally wouldn't mind seeing this fire fought with fire - Let the anti-worm run its course for a month, and then have it destroy itself. That would wipe out the vast majority of the code-red virus.
It is a really rash and dangerous tactic, but considering the scenario that a number of people are expecting from this worm, are there really any other effective options?
.... um, i lost you after "0110100001101001".
"Old man yells at systemd"
Was that one of those pop-up messages that was interspersed with all of the licensing legal-ease pop-up messages?
Say no to software patents.
Hey, even after the dot-bomb crash of 2000, the software engineer's job market is still roaring. Just look around, I'm certain there are enough Linux-friendly employers in your area too.
This kills me -- install Redhat, choose the custom option, then DE-select "Web Server."
Run through the rest of the install, and... tada, apache was installed anyway.
The only reason that Microsoft gets away with this is the technical ignorance of the news media.
The only good weather is bad weather.
That's the sort of damned pedantry up with which I will not put.
(STR)
--
These 2,000 IIS servers are ones with broken clocks. They have no idea what the date is, so they are still in infection mode. The only good news here is that these machines never know to turn from infection to attack, either.
If the clocks are set wrong and the machines are currently in infection mode, the machines will switch to attack mode when the clock says to. Does he really think you can have a computer with a "broken clock" that literally means it doesn't increment time within at least a few percent of the correct rate?
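A small model of the clock argument running through this thread: the earlier objection that a mis-set clock is a red herring because the hosts a skewed machine infects have correct clocks and so go straight to their own dormant phase, the claim that everything restarts on the first of the month, and the reply just above that a skewed host's clock still advances into attack mode on its own schedule. This is example code written for this page, not code from the thread, from Cringely, or from the worm itself; the phase boundaries (spread through local day 19, attack through day 27, dormant afterwards), the host names, the clock offsets, and the simplification that a spreading host reaches every unpatched host in a day are all constructed assumptions.

```python
"""Toy day-of-month model of a worm that reads the local clock to pick its phase.

Added example for this thread, not code from the original page or from the worm.
Phase boundaries, host names and clock offsets are constructed assumptions.
"""
from dataclasses import dataclass

DAYS_IN_MONTH = 31
SPREAD_UNTIL_DAY = 19   # assumed: local day 1..19 -> propagate
ATTACK_UNTIL_DAY = 27   # assumed: local day 20..27 -> attack; later -> dormant


def phase_for_day(local_day: int) -> str:
    """Map a host's *own* day-of-month to the phase the worm would choose."""
    if local_day <= SPREAD_UNTIL_DAY:
        return "spread"
    if local_day <= ATTACK_UNTIL_DAY:
        return "attack"
    return "dormant"


@dataclass
class Host:
    name: str
    clock_offset_days: int      # how far this machine's clock is from true time
    patched: bool = False
    infected: bool = False

    def local_day(self, true_day: int) -> int:
        # Wrap within a 31-day month so an offset can push the clock into "next month".
        return (true_day - 1 + self.clock_offset_days) % DAYS_IN_MONTH + 1

    def phase(self, true_day: int) -> str:
        if not self.infected:
            return "clean"
        return phase_for_day(self.local_day(true_day))


def step(hosts: list, true_day: int) -> list:
    """One true day: hosts whose own clock says 'spread' infect every unpatched, uninfected host.

    Whether a victim then spreads depends only on the *victim's* clock, which is the
    whole point of the clock argument.
    """
    spreading = any(h.phase(true_day) == "spread" for h in hosts)
    newly = []
    if spreading:
        for h in hosts:
            if not h.patched and not h.infected:
                h.infected = True
                newly.append(h.name)
    return newly


def simulate(hosts: list, start_day: int, n_days: int) -> list:
    """Advance true time n_days from start_day; record new infections and every host's phase per day."""
    log = []
    day = start_day
    for _ in range(n_days):
        newly = step(hosts, day)
        log.append({"true_day": day, "new": newly,
                    "phases": {h.name: h.phase(day) for h in hosts}})
        day = day % DAYS_IN_MONTH + 1
    return log


def make_scenario() -> list:
    """Constructed population: one infected host 10 days fast, one correct unpatched, one patched."""
    return [
        Host("skewed", clock_offset_days=10, infected=True),
        Host("good_unpatched", clock_offset_days=0),
        Host("good_patched", clock_offset_days=0, patched=True),
    ]


if __name__ == "__main__":
    # Start on true day 28, when a correctly clocked worm instance is dormant.
    for rec in simulate(make_scenario(), start_day=28, n_days=14):
        print(rec["true_day"], rec["new"], rec["phases"])
```

Run from true day 28, the skewed host (local day 7) does infect the unpatched host, which immediately reports "dormant" because its own clock says 28, so the skewed machine does not cause a cascade. But on true day 1 that victim flips to "spread" on its own, and on true day 10 the skewed host's clock reaches local day 20 and it moves to "attack"; the patched host never changes. Both sides of the argument above are visible in the same log, and the only lever that actually stops the cycle in this model is the patched flag.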
Modify the Code Red code to install the IIS security patch and reboot the system...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Can't the backbones do some routing thing and reroute traffic to the targetted address to /dev/null (Or better yet, someplace in China?) You can do a lot of cool stuff as a backbone provider. I remember one time when an MCI engineer accidentally routed all their traffic through one router in Mexico...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Michael, how on earth can you justify linking the phrase (the entire internet will) "cease to exist" to the article Washington sounds alarm over "Code Red" worm virus, when the article itself says or implies no such thing?
You might as well link the phrase "alien attack imminent" or "Elvis seen in Redmond" - it has as much to do with the story as your title suggested. Of course, most people won't read the story, they'll just remember the catchy phrase that "the internet might cease to exist" - how exciting! - and that they read it first on slashdot.
Code Red is a pretty serious situation as it stands; we don't need to mislead people while we talk about it.
TomatoMan
-- http://frobnosticate.com
Did you read the article, or just get offended that UNIX and NT were mentioned in the same sentence?
Maybe you should read it before you get huffy. It contains generic steps for establishing and reviewing security policies, and then a methodical approach to recovering control. They add this useful link to all of their security advisories dealing with topics relating to the possibility of system compromises.
TomatoMan
-- http://frobnosticate.com
--
Free Mac Mini
All these news agencies rave about the more effective variants out there. Does anyone actually know what's been changed other than the random number gen?
I think you can be infected even with index server not running. The .DLLs are still used by IIS. At least I think that's what I read somewhere.
Judging from the apparent lack of action by IIS sysadmins on this campus (or perhaps they're just procrastinating) I'd suggest a significant percentage of machines are still unpatched.
So my guess is the curve will start faster this time, but reach a lower peak (because surely somebody has to have applied the patch).
Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra
The reason why MS can't be held responsible is that manufacturers are not responsible for deliberate illegal misuse of their products.
Ford and Firestone got into trouble because people attempting emergency maneuvers, or just driving on a hot day, could have a tire blow leading to a rollover. They wouldn't have been in trouble if the failures only occurred when a crook deliberately targeted the tires with a gun.
Manufacturers are not legally responsible for making their products "bullet proof" - unless they specifically contractually agree to do so. It's the criminal himself who is liable.
This, by the way is also true for firearms, which is why you can't generally sue a gun manufacturer when someone murders a family member with their product. Only if they knowingly sold the product to someone who was likely to commit a crime (a felon or violent paranoic) do you have a prayer of a chance against them in American courts.
Other than that, quite an interesting article ;)... I wonder who they'll have write the "more in-depth" article referenced at the bottom of the article. Speaking of which... quick poll.. how many of y'all read that far to see that section? ;) (yes, the only way I got this so fast is by reading the article yesterday... if you subscribe to happyhacker@yahoogroups.com, you got this yesterday).
-- Is "Sig" copyrighted by www.sig.com?
No, it's because you go after the biggest share of the pie. Ramen.worm I think was the most recent example of Linux being just as vulnerable to this sort of thing.
Vintage computer games and RPG books available. Email me if you're interested.
The exploit, and the patch, affect Indexing Service. Most sites aren't actually using Indexing Service. Hence, no reboot required.
When you are administering a critical production server, you don't make ANY change to the system without a good reason, and if you do you damn well make sure you test the patch on non-critical systems first.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
-
First it has a propagation period in which it spreads using 199 threads (we've got to improve on the Code Red thing some way).
-
Next phase starts at a synchronized moment (using some web available Atomic Clock) and reboots Windows.
Ideally all Windows machines with unpatched IIS in the whole world would be down for a couple of minutes - that should flush the little bugger...

"I don't want to flame you here (you did say you are not a security expert), but usually worms are not just simple scripts (nor even non-word viruses); on unix systems they may (and have) been scripts to be more portable, but there isn't anything simple in them either. As to email being required... for decades (since the first worms were created, early 80s?) worms have been able to use other network connections than email. That's the case with CR; variety is good for viruses and worms. Spreading using attachments is an easy (some might say lame...) way to spread, but a bit too obvious. Easy to implement, though, which is why it has been a popular approach."

Thanks for not flaming me, it's appreciated. I expressed myself badly - I didn't mean they were simple to code. What I meant was that once people see things like ILOVEYOU or Melissa in action, it's fairly simple to devise countermeasures and alert people what to watch for. What I'm afraid of is something that isn't so easy to watch for or warn people to be on the lookout for. Despite the obviousness of the attachment viri and the repeated warnings, a lot of damage was done. My school had to shut down email for a while during a couple of the outbreaks. Something more subtle yet just as universal would be scary.

"I guess I just disagree with doomsday prophecies like this. Even though I don't want to appear like a MS-bashing zealot, I must say that Microsoft is now paying for putting security related issues on rather low priority for years. There's a lot that has been done by other companies and organizations (Java security model by Sun, xBSD code inspections to build reasonably secure server OSes, etc. etc.); Microsoft just didn't think potential risks were big enough. They have been proven wrong... and hopefully have started paying more attention."
I didn't really mean to sound like a doomsday prophet - I don't actually think what I described will come to pass. What I am saying is that there appears to be no fundamental reason it can't happen, if some nut takes the time and effort. That means we have to think more carefully about how we implement the next generations of network and computer technology. We don't even want a remote chance for something like this to exist. Sort of like nuclear bombs - I don't think anyone would actually launch one, but you still want to make sure you can respond if they do. As for Microsoft, I'm quite sure they are going to pay more attention, but at this point I'm not sure what they are going to do about it. There are already so many computers out there that have to be fixed and maintained, fixing their new stuff won't do a whole lot for quite a while. People use what works, and whatever its faults Windows 95/98/Me does work for a lot of people. So they will be reluctant to fix bugs, because there is always the chance that it will break something. Also, Microsoft only keeps selling new versions of their OS by adding more features. That is often at odds with security, but they need to make money. It's a problem.
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
Which sez "Repent, the Internet Will Collapse in 8 (crossed out) 7 Days". So, Code Red is the Internet's crisis du jour. Has anyone noticed that the Net seems to beat the odds makers every time? Meanwhile, the SciAm article is unreal. Talk about paranoiac speculation and exaggeration. "The only remedy is total isolation". C'mon. It's the same as always: don't use Outlook, and don't open unknown attachments. And don't use Windows unless you have no better choice. In terms of net traffic, yeah, that's a bummer, but hardly a show stopper. The Internet will be bogged down as this thing waxes, but it'll go away. There is one point the SciAm article makes that is worth paying attention to: the need to get ready for the next one. So far, no one has written a worm designed to launch denial of service attacks against backbone routers. This type of attack could be very dangerous. However, it would require a lot of knowledge about the current architecture of the Internet, and a good understanding of the TCP/IP protocols. Luckily most of the script kiddies out there haven't read David Comer's series on TCP/IP, but it's only a matter of time before we get someone knowledgeable and malicious.
This cracks me up!
The BBC had their ActionMan Nick Bryant on the scene at the RipTech Computer Center in Washington with a camera crew and a live satellite link-up. They are at T+4 hours, and the conversation goes a bit like this:
Nick: Well, computer expert, what's happening?
Expert: Well, actually, nothing.
Nick: Do you think it's over-hyped by the media?
Expert: Um, well... Yes...
Check the article or the RealVideo
At least they had the balls to mention the evil M$ empire and their flaky server/services. ABC was a gelded wonder this morning and didn't mention any of the following words in their "the sky is falling because of the Code Red worm" hysteria:
- Microsoft
- Internet Information Server (IIS)
- Windows NT
- Windows 2000
Any layperson who was hearing about this issue for the first time would think that there was something malicious out there just disrupting the Internet in general, but they wouldn't have a clue about how, or why. And listening to spoo-brained dullards muse about who was responsible or where the worm came from was a joke. What really made me want to shift into Nordic Stormgod Mode and beat the assholes within inches of their ignorant lives was the line
- "Just reboot the machine and the worm will go away."
I watch both the "Free" as in "through the air" and "Pay" as in "Holy crap they raised my cable bill again!? Damn Icehole sucking bastiges!" news services, and the lies of omission coming from the free side are shameful. And what really sucked was listening to the newsreader/MC lie repeatedly about how he broke his wrist (hey, that isn't news!).
It all just goes to prove that it's not about news, it's about entertainment...and dodging the pit of lawyers large corporations have while giving Joe Public his morning brainwashing. Ahhh...lemony freshness.
Personally, I think the worm was the right thing to do. It exposed a closed-software tendency to create backdoors into a long-duration service which would permit government/M$/and anyone who knew about the weakness to exploit it.
Sysadmins are supposed to be smart people. What M$ has done is screw a couple hundred, maybe even tens of thousands of them. What I'm waiting for is an even bigger backlash at the Sysadmin level, where the words,
- "We're not going to deploy on Internet Information Server because it has no security and there's no accountability for it from the vendor."
will be commonplace and more and more server farms will silently shift to *nix and Apache, and all those M$ developer subscriptions (useless firehoses of CDs and nifty binders to hold them) will silently wither away, and M$ zealots will not have their marketing mail answered and will endure mono-syllabic responses to their phone calls from smart people who have a right to be royally pissed. If there's no accountability, then why bother with a pay-to-play solution? I look forward to the day when M$ server products are reviled for the exploits they are. Sure it may take a while, but somewhere out there right now several clever people are enjoying themselves, having made at least a partially successful run with this last worm, and will probably have the code for an inline resolver to use with the next worm.
Every new form of media has its own Requirimento
But I could be wrong. Hell, I remember the last time that happened. I believe it was a Thursday...
Carousel is a lie!
I think that Bush should just sign an executive order making it legal to take out any machine trying to infect you with CodeRed, on the grounds that it's self-defense (of other innocent standers-by, obviously). Just like if I see a rapist attacking a lady at the bus-stop, I can probably legally kill him. We should be able to do the same thing re: CodeRed.
It wouldn't last too long, in that case.
The 'How to secure IIS' checklists and docs that Microsoft puts out all list several aspects of IIS that should be shut off; sample apps, admin pages, stuff that makes sense on an Intranet but not on the Internet.
True, but it's still irresponsible for Microsoft to ship a webserver (or any 'Internet' software) that comes out of the box with an inherently insecure configuration. Given the rate of IIS bugs that affect non-core components, Code Red is just the beginning of the iceberg until admins figure out how to turn this stuff off.
When I hear the word 'innovation', I reach for my pistol.
What really made me want to shift into Nordic Stormgod Mode and beat the assholes within inches of their ignorant lives was the line "Just reboot the machine and the worm will go away."
Well, the worst thing about all of this hype is that it's not being directed towards fixing the root problem -- the fact that IIS ships with WAY WAY too much stuff turned on by default.
My guess is that 99% of the people infected by Code Red didn't need Index Server running in the first place. So, they'll patch (or worse, reboot) and go on their merry way. Until the next bi-monthly (not much of an exaggeration) Index Server bug is found in which case they are screwed again.
Repeat for FrontPage, Internet Printing, Remote Data, and all of the other mostly unused crap that out-of-box IIS has. The correct security advice should be:
1) Turn all of this stuff off if you aren't using it. (And if you can't figure out how, turn the web server off and get the hell away from it.)
2) Patch only if you need the affected software.
When I hear the word 'innovation', I reach for my pistol.
IP telephony doesn't need the internet - just an IP network.
Carriers build their own IP networks so they can control / monitor traffic and guarantee QoS.
---
Yes, you are correct.
And let us not forget those fly-by-night operations that use the internet to lob calls overseas for cheap rates meanwhile escaping regulation as a telephone carrier.
---
According to the Yahoo story, Code Red was named after a soft drink preferred by programmers...
Excuse me? The Code Red drink hasn't been around long enough to be preferred by programmers... don't you think it's far more likely to say that 'Code Red' was chosen simply to make people think it's more dangerous than it really is?
They also blame the thing on the Chinese... sure, if a virus made to DoS the White House puts text saying 'Hacked By Chinese' on your screen, you're going to believe it? Just like all those guys on Counter-Strike servers a few months ago talking about Wang Wei were really Chinese, too...
Journalists are so -gullible- when they're trying to start a panic...
And lead us not unto insecure NT boxes. For it is here in the fertile ground of evil that thy demon seed takes root. We, the Children of Linux, ask only that you keep our Linux safe and secure. And that you limit thy wrath to the unfaithful heathens of NT. Amen, brethren.
Frylock: That's not a toy!
Master Shake: You say that about everything you own. You should own toys. They're fun.
In my opinion, someone should force MS to take responsibility for issuing a product recall... just like in any other industry.
What do you think a security advisory and a patch is?
--
Sometimes it's best to just let stupid people be stupid.
Except that last time, (as I understand it) the infection window was relatively short before it kicked over into attack mode. Also, due to the Cisco problem, the infection time is a bit of a DoS attack itself.
I don't expect doom and gloom (especially with the page defacement and probes making it easier to identify compromised hosts), but I do expect it to be at least a little different from last time.
"The Internet has become indispensable to our national security and economic well-being," said Ron Dick, head of the National Infrastructure Protection Centre, an arm of the FBI. "Worms like Code Red pose a distinct threat to the Internet."
You think things are bad for hackers now, wait until all the clueless masses start seeing the Internet as a battlefield - you only have to say 'National Security' in America to get the public inspired to go to war, whatever the cost... god help us.
"hacked by Chinese" oh brother - might as well say "hacked by the godless communist hordes out to destroy the american way of life and enslave you! Defend America from the Red Menace!"
What laws will the Plutocrats pass now in order to defend the Internet from life outside their precious economy? I am personally not that alarmed with trojans or worms. The world can live without the internet - our desire to have zero random variations in all things (our lawns, our parks, our workplaces, the internet), removing all acts of fancy/folly and chaos (in a good sense), has shaded our eyes from the important goals. So what if the Internet shuts down for a few days?
Frankly, the world needs a little random excitement... Much in life is arbitrary, a game if you will; let's not get too serious about all this, try and think about this in a more situationist manner.
Not that it makes much difference, but there are two Robert X. Cringely people in the world. Cram (no, I'm not going to use his real name) wrote the column for InfoWorld for years, then broke away from IW and IDG and took the name to new heights.
Meanwhile, back at InfoWorld, another member of the staff has picked up the moniker and writes it.
That doesn't invalidate your statement, though, that his infamy is due more to who he knows than what he knows -- but the PBS Cringe does know quite a bit on his own. (I used to work with him.)
Remember the next time you hear about a virus and see a vendor offering a free fixit, that the link to download that fixit is on the same page with an ad for their virus protection. No free deed is done without some small ulterior motive on the net or anywhere else.
In the case of the worm, every time MS offers a patch, you're deeper in their hooks, when you should instead be finally fed up and refuse to operate with such irresponsibly assembled solutions. Only when you've pushed MS to produce something that can be thought of as secure, or gone over to Apache, will you be out of the Code Red cycle. No, Apache is not free of holes, but when they appear I see a much stronger effort in that group to hunt it down and tell everyone that they had better upgrade NOW.
Yes, it might not be a simple thing to have to go and recompile Apache vs downloading the next patch and rebooting, but think about what you buy for that convenience. Just because something is cheaper doesn't make it better, and I'm not just talking about $$$.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
You must understand that there is no internet. This is a zen thing, so stick with me. To help you understand this, you need to meditate very deeply and free your mind of all you know. Sometimes to achieve this state, it helps to imagine yourself in an empty room. The room is painted pure white. The walls are white, the ceiling is white, the floor is white. There are no visible light fixtures, but the room is incredibly bright. There are no Windows.
*rimshot*
--
And of course we all know what this means. Unreal Tournament will be practically unplayable over dsl.
--
For all those Slashdotters who don't have access to webserver logs and therefore can't see the Code Red worm searching for victim hosts, check out this dynamically created view of my log file. For legibility, a reverse lookup is done on the incoming visitors.
The party should start shortly after 8:PM Eastern time tonight.
Fire and Meat. Yummy.
Nothing terrible will happen.
The Internet will die
Cowboy Neal will die
Please note that I said think not wish
Can't he just die, do we really have to read another one of his 4 day late analysis'.
Someday, they might nickname this catastrophe, " Y2K-2! "
Donate background CPU time to fight cancer.
I would love to see hailstorm and .net fail. I also miss the days of CompuServe and dialing bbs's. I find receiving any information that I need on the Internet difficult. It's cluttered and way too big. The search engines only look for words and key phrases and not content. The reason AOL is so popular is that everything is organized. Sure its slow and unreliable but the productivity is incredible. With the web you have to search and know where to look.
Anyway, I highly doubt this will happen. The backbone may become saturated but UUNet definitely can deal with this. Even if the Internet pauses or even goes down, you can always reboot the routers. After the Internet connection is idle for a certain period of time the NT servers will assume it's down and stop sending packets out on the web.
http://saveie6.com/
No, let's make that, "When are people going to get the hint that, despite the conveniences, relying on one entity for the management of data or other assets is not good for anyone."
-- Geof F. Morris
In my opinion, someone should force MS to take responsibility for issuing a product recall... just like in any other industry. That means they must contact their dealers and their dealers must contact their customers and get it patched. Obviously this is serious enough to warrant that kind of attention and MS can surely afford it.
If your aim is really to stop this worm, and not to "punish Microsoft," then you're way off base.
How exactly would Microsoft be able to contact the sysadmins? They don't have everyone's number. (They don't have ours, and we run servers with NT4 and IIS4 at work.)
Instead, Microsoft has issued not only the original patch to their security alert list (which every real sysadmin is already subscribed to), but also another warning yesterday about the problem and how severe it is. They've also placed notices on their websites.
This is far more effective, and will reach far more sysadmin people, than trying to call all the companies that have registered NT/2000.
"And like that
So then why can't MS contact the VARs who sold/installed NT/2000 server and have them run through their customer list and advise them of this recall in the same fashion? Really, the only systems at risk should be the ones that are pirated.
Are you kidding? Yeah, pirated systems and every IIS system in use by a small business who does not buy "from a dealer." We bought our copies from places like Fry's. They don't know we have the software. How exactly would we be notified?
At every company I have worked at, there is no one single person responsible for "all things NT" and so as a result, it is very difficult to make sure that everyone is on top of the latest update and that it is pushed down to all the servers without interrupting production systems.
This is exactly why the current system is the best. The person that is in charge of keeping the NT systems secured would be on the Microsoft security alert list. That is the best way to reach the correct person.
The main problem is with people who don't have anyone maintaining their security. Chances are, though, that they too did not buy from a software dealer, but instead, from a regular software store.
Now, if some IT manager got a call warning them that their servers were vulnerable, he or she would issue the order and it would get done.
Where do you draw the line, then? Should Microsoft have to do these calls for EVERY patch or potential security problem that is found in Windows? What about if this flaw infected all versions of Windows, with or without IIS installed. Would it be plausible to call every person in the world that owns Windows, and let them know to patch their machine?
They are doing all that can reasonably be done on this one. Realize that 75% of all people have average to below-average intellect. Worms take advantage of this fact.
"And like that
I wonder why?
I cannot [nor do I possess the patience to] count the number of desktop users who have demanded that I install the patch on their machines before it "hax0rz the white house gibson" and gets them put in jail. They seem more worried that the virus will drown the Net and cause their multiplayer game of Hearts to be interrupted.
Thankfully our Content-O-Matic server is in the clear. No one writes decent viruses for the DRDOS Http Daemon anymore. A shame, really.
Now after they've finished, there will be nothing left!
What an accolade! :o)
--
In a not-so-unprecedented show of FUD, the government is finally getting the boogeyman they so desperately need in order to swing public opinion toward the side of deepening regulation of the internet.
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
If there are so many web masters out there who refuse to protect themselves, perhaps someone knowledgeable could take it upon themselves to write a worm which installs the patch to close this security hole.
Volunteers?
What do you mean they cut the power? How can they cut the power, man? They're animals!
I was talking to someone today, and they mentioned that one of their web servers (IIS) was hax0r3d and defaced, to which I replied, "I hope the sysadmin loses their job for that". The guy was astonished and actually asked why! Good Lord, has it really come to that? He thought it was ridiculous to fire someone over a hack, cause "that kind of thing can't be stopped". Is it really that hard to install publicly available patches? Is it really that much of a pain to keep up with security bulletins?
The Navy (or Air Force?) actually turned off their servers to avoid this! If the sysadmins of our armed forces are so fucking stupid as to NOT apply patches immediately, is there any hope?
Burn Hollywood Burn
Let me recount two very important facts before everyone starts jumping all over Microsoft.
1) If you had followed the security checklist for IIS 4/5, you would not be vulnerable. The checklist instructs you to go over the server mappings and remove any that are unnecessary, including the one for Index Server.
2) If you were on the Microsoft Product Security Bulletin mailing list, you would have gotten a notice back in early June about this, downloaded the patch, and installed it. Thus, you would not be vulnerable.
This is not a case of Microsoft shipping something insecure by default (although such a case can be made for other issues in the past). This is a case of the most common programming mistake made by C++ programmers the world over: a buffer overflow. Buffer overflows have been found in every single OS currently in use, which includes Linux and *BSD. Some have even been root exploits.
Please... go to http://www.microsoft.com/technet/security/
There are a number of checklists, tools, and downloads that can be used to harden any IIS webserver to the point that it is virtually uncrackable. Of course I must add the virtual part, because there is ALWAYS a chance that ANY system connected to ANY network can be compromised. There is no such thing as 100% security; we can only get really close.
I now return you to your regularly scheduled zealotry.
-- russ
Natural != (nontoxic || beneficial)
I love the smell of Karma in the morning
And what would you suggest happen if someone installed a stock (say) RedHat box that (say) had telnet open, and someone worked their way in there and brought it down? Would you hold RedHat liable? What about if there was some bug in the kernel which brought down some number of machines - would you hold Linus Torvalds liable, and should he be responsible for contacting all Linux users for a 'recall'? If not, why not? Who do you think we should hold liable for the sendmail worm of yore? When you install an OS you accept a certain amount of responsibility for taking reasonable steps to assure its security. AFAIK, there were alerts and patches put out some time ago, so Microsoft's culpability is mitigated greatly, but even if there were not, it is too much to expect companies to accept liability for bugs in their software. Now, if MS had known about the bugs but kept that information quiet, that would be different.
--CTH
--Got Lists? | Top 95 Star Wars Line
IMO, DMZs with good firewalls, monitoring outbound as well as inbound... Laws mandating it. Switching to Linux is not the answer, as much as I like open source, because it too can be attacked (just not as easily, and the same user problems could exist there as well). Good firewall design is the only way, and I think that anyone with an internet server of any kind should use some sort of firewall, at least for monitoring...
Sig: Tell all your friends NOT to download the Advanced Ebook Processor:
LedgerSMB: Open source Accounting/ERP
"Security patch? Yeah, I just downloaded it from Norton!" and
"Backup? What if I don't have a backup?"
The problem, IMO, is that servers should be administrator friendly and transparent. They should make the administrator part of the process. In this way, I think that UNIX is a better OS for servers than NT.
Contributing factor: how many questions on the NT4 MCSE covered security or disaster recovery?
Sorry, it's been about 5 years since I had any MS software in my possession.
The question for the lawyers is if the negligence is to the point that they are in breach of their portion of the EULA.
Yeah, under the Trade Descriptions Act (in the UK anyway) a product has to be fit for the purpose sold. IIS is not fit for serving web pages, due to the huge security holes. Yeah, patches can fix this, but the purchased product is not fit for the purpose it was bought for. Plus, I have seen a few systems where patches for the CGI Decode bug are not effective. A full refund would then definitely be in order. It would be interesting to see what happens if a case is ever brought to court.
This is an interesting point. Can MS be held responsible for holes and bugs in their software that cost businesses money?
MS could say that part of running a machine connected to the internet is checking for bug fixes and applying them, and that it is the user's responsibility.
However, companies pay a lot of money for MS software, which is marketed as secure and easy to maintain.
Can anyone with an MS licence agreement tell me if they have a disclaimer absolving them from any responsibility if their software goes wrong and costs you money, either due to downtime or data loss?
Yes, I always knew Microsoft would destroy the internet one day! Either by incompetence or by... incompetence (what else?). :))
I can't figure out all this chicken little/sky is falling media coverage (well hey, it's yet another SCARY Internet story, but still). CNN had an article that kinda made me chuckle. It was a story on ISS founder and "worm splattering" "worm hunter" Chris Klaus. It talked about how the 'patch may not hold'. What a great thing to be telling everyone. If a new version of the worm hits and spreads like wildfire, it will be due to a new vulnerability I'd expect. Amazing how mainstream media tries to cover situations like this.
As for the real threat, I expect there will be a large # of infections tonight/tomorrow. Why? Just look at the analysis at CAIDA. They found that the majority of servers infected were from domains used primarily by small businesses and residential users (@home, etc.). While many of these will have patched themselves, I'm sure many just restarted when problems arose and the problem went away - problem solved. I mean that's standard MO with a Microsoft OS - if it starts acting strangely, reboot.
The good news is, perhaps ISPs have been able to put plans in place to try and block the worm from spreading. Only time will tell.
Don't get me wrong - I think publicizing this issue is a good thing. But I expect that the problem will not be as awful as the media is trying to portray (Internet slowdown, websites knocked offline, etc.)
Of course on the flip side - we know that the patch won't be applied to every IIS server out there - what will be done and by whom to track down and eradicate the remaining servers that are still infected or are being re-infected day after day? I'd expect the ISPs, but given the service level of many DSL and cable providers - you have to wonder if they'll all pursue this diligently unless the courts get involved (yuck).
Top Most Bizarre/Disturbing Error Messages
What's really sad is that this kind of 30 second 'news spot' does it for the majority of people. Most could care less what the details are these days. And not just on tech related news, I'm talkin' 'bout all sorts of news: political, social, worldwide, etc. Needless to say, here's just one more reason why I'm changing all my really confidential and important stuff to Linux, and I don't give my allegiance to any one large, bloated, political party.
You chuckle, but it actually says in the MSDN docs that the Windows NT family suffers from the "problem" that it doesn't fall over or have to be rebooted as often as Win9x. When applications crash out and leak memory, you don't get it back, so you really should encourage users to reboot every few days.
I put my hand on my heart and swear that this is true.
If you were blocking sigs, you wouldn't have to read this.
If there's one thing our media has taught us, it's that no technical problem takes more than 60 seconds of random typing on a laptop to solve, as long as there are enough A list stars, guns and blowjobs involved.
Will the internet route around trouble like this virus may cause? That's debatable. I'm sure there's enough Cisco gear out there to cause some major issues... However, people may be (sic) stupid enough not to patch their IIS boxes (let alone run them at all!) but watch how fast ISPs kick customers that are causing mayhem by being infected. It's a similar situation to open relays; there are plenty of ISPs out there (at least here in New Zealand) who actively disconnect permanently connected customers with open relays. The internet as we know it has become almost a self-supporting entity; the people (us) involved in any way will not stand for it to be out of service or degraded for long. Sure, we may lose a few websites in the process, but the internet as it stands will always exist. How long do you really think someone's gonna sit looking at an IIS box or Cisco router that's malfunctioning before they actually decide to remove it from the network or fix it (or someone decides it shouldn't be part of this global network for them!)? -- Stop listening to that rock! http://www.nuenergy.co.uk
The Entire Internet uses IIS??
[alk]
If I didn't know any better, I'd think Code Red and similar viri are the product of a conspiracy put into place by pointy-headed management types to keep us from our Constitutional right to goof off!
healyourchurchwebsite.com - WWJB?
Yeah, see my earlier comment about blowing a chance to make millions.
healyourchurchwebsite.com - WWJB?
Darn! If I had known this issue was going to recycle, I would have modified some old Y2K tripe with "Code Red" stuff, bought some time on some religious broadcasting network and made beaucoup dollars peddling fear to survivalist-types.
healyourchurchwebsite.com - WWJB?
Yes, they both have some weaknesses, and yes, the aforementioned common practices apply to both. And yes, there are both good and bad system admins working on both UNIX and Windows boxes. My complaint is the simple juxtaposition of listing UNIX first in what is a uniquely IIS fault. It gives one the incorrect impression that UNIX may somehow need to be improved to make up for the Code Red attack.
Truthfully, the article is so full of "if UNIX else if Microsoft" clauses that if it were an object under my control, I'd split it into two articles: one for securing UNIX and one for securing Windows.
Don't you remember 1i0n, butcher, ramen, etc. that were running around a little while ago? Those were not MS worms.
Has it occurred to anyone that this guy is a closet hacker himself? Like the old saying, the criminal returns to the scene of the crime... What better way of getting attention? Write a virus, talk about how terrible it is on TV, watch it die, lather, rinse, repeat. Jboy
Umm. ColdFusion server runs on linux. Sure, you can't use studio, but the lack of a text editor's not necessarily a reason to abandon the platform. The docs are all HTML, install in windows, copy the docs over.
I thought there already was a Microsoft tax on stupid admins?
Your right to not believe: Americans United for Separation of Church and
What I propose is a GPL'd shell/python/perl script that "grep"s the apache/thttpd/whatever access log for "default.ida" requests, and logs the requesting site name/ip to a file. Sort | uniq this file for good measure, then send a friendly message to the webmaster at this site, stating at least the following points:
Running this a few times a day, and keeping track of the sites that we've mailed already to avoid duplicates, should give semi-awake (i.e. reading mail, but not patching their system regularly) IIS admins some friendly help.
What do you think?
Apparently this guy saw it coming.
--
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
I hate to criticize .NET since I am by no means the expert on the subject. Think about if .NET actually succeeds. Every PC, PDA, cell phone, and dog collar will be running a Microsoft OS and accessing its data over .NET. What happens when the .NET version of Code Red comes out? What then? All my data is wrapped up in .NET. Everything I do is on a server somewhere but the wireless .NET is too bottlenecked for me to get to it. It's a sign of things to come. Companies put many $$ into Microsoft software and constantly have to upgrade to keep a virus from systematically destroying their entire network. When are people going to get the hint that despite all their propaganda, Microsoft is not good for anyone.
There is no reasonable defense against an idiot with an agenda
:wq
I saw the "special report" on CNN this morning. Pretty standard stuff for a non-technical news show but what was funny (or disturbing, depending on your take) was when the "technology expert" said that "a simple re-boot" would solve the problem in the near-term. He went on to say that regular reboots (on your servers) are a "good idea," as it's like "cleansing your system." The host agreed and said she solves all her computer problems with a reboot :).
They took a while to explain that only Windows NT/2000 are at risk while Windows 98/Me are not. No mention of any other alternatives besides Windows of course (I guess that's too much to ask :). Of course what I can't believe is that they're still talking about this! Are there that many admins that still haven't patched this?
- j
Other than that, quite an interesting article ;).
-- Is "Sig" copyrighted by www.sig.com?
A class action against Microsoft would be appropriate, in that it is a defect in a Microsoft product that made it possible. The class action should be led by non-Microsoft users impacted by the problem, so EULA issues are irrelevant.
Where's the plaintiff's bar when you need them?
Don't forget, Steve Gibson is the guy who managed to make a 13 year old kid in a chat room, writing code that opens a socket, sends a few IRC commands (the hardest being the Ping/Pong set) and accepts a few commands sound like some sort of Big Black Voodoo Priest, sitting upon a throne carved from human bone, piecing together zombies from heaps of human corpses and sending them out to do his evil work.
Vintage computer games and RPG books available. Email me if you're interested.
If you go here: http://www.microsoft.com/technet/security/search/bulletins.xml you'll find a lovely XML doc which lists hotfixes going back, I believe, to 1998, what they apply to, what they're superseded by, and so on.
If you look for 'hfcheck' on the MS sites you'll find a lovely little WSH script that grabs this bulletin and uses WMI to check servers and tell you what needs to be installed. It defaults to only checking for IIS patches, but that is easily fixable.
Vintage computer games and RPG books available. Email me if you're interested.
There are a few points of interest here:
"We all say so, so it must be true!"
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
then at least I would know that it didn't apply to any of my servers. Instead, I have to read through a few paragraphs of crap before it gets to the "IIS security flaw" line.
Analogous to real virii and worms, those that destroy their host too quickly don't spread.
Those that don't spread die off.
Making a system unbootable doesn't destroy the data on the hard drive. But if the data on the hard drive is destroyed, the admin will reboot.
The computer is now offline and the worm gets no more opportunities to spread.
A common way to overcome this is to set a logic bomb: have the worm set a cutoff date after which it becomes destructive. The problem with this approach is that it allows people time to patch their systems.
A good compromise would be to make the system unbootable immediately, with a boot loader that wipes the hard drive. Then set a logic bomb with a cutoff date after which data gets deleted.
It's tricky though. A good twist may be to rearrange some DLLs in the filesystem, to cause patches to fail. Also setting up a backdoor vector for reinfestation. Then at least 3 subtly different versions would have to be released simultaneously.
It's a lot harder than it sounds. And not worth it really.
... and a card with our Condolences to mark the death of his "child".
As the previous writer clearly stated, and you clearly missed, this is just not the case with IIS. Since IIS has LESS market share than Apache one would expect Apache to have this kind of problem and not IIS, but it doesn't (all of which the previous poster stated).
Part of the reason Windows is so widespread is because Windows is stable (in an API sense, and in a reliability sense as far as W2K is concerned), and easy to write for
You misspelt "Part of the reason Windows virii are so widespread...."
Which you would have partially correct, but mostly wrong. W2K is MORE stable than previous Windows, yes, but nowhere near as stable as the traditional Unixes. The Windows API could NEVER be described as stable since upgrading Windows almost always breaks something important (my CD burner, for example, which works in OS X, but not WinME). This is the reason many people are still on NT4 SP3/4. If they move up to SP6 or W2K, something important breaks. This is a big reason why Windows is taken down so much. The other part you addressed with the "easy to write for" comment. VB is easy to learn (compared to Unix scripting) and can be learned on a desktop machine before one begins coding for IIS. You can use VB for all sorts of things, including scripting the breaking into of systems, so that some 9 yr old on AOL can break into Windows machines all day long...
Burn Hollywood Burn
Media here told the public Code Red would infect all computers. They simply ignore the fact that Code Red infects only IIS 5 server.
A local lead moron - the president of Hong Kong Computer Society, a branch of British CS - told the public that in order to protect yourself from the virus, we all should update to the latest virus signature and not switch on computers. I'm sure all their members would feel ashamed of their president's cluelessness.
Scott Adams is right: idiots, morons and clueless people are defining the reality.
Turn a non-tech hobby into your career.
--
[baptiste@surfboard httpd]$ tail -f access_log | grep .ida
136.176.193.29 - - [31/Jul/2001:17:10:49 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAA[lame filter snip]AA=X HTTP/1.1" 404 280
136.176.193.29 - - [31/Jul/2001:17:12:42 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[lame filter snip]AA=X HTTP/1.1" 404 280
Should be an interesting evening. Interesting that I got hit twice from the same IP a few minutes apart.
Top Most Bizarre/Disturbing Error Messages
Turns out that this signature is probably from the eEye CodeRed scanner to identify vulnerable hosts. Interesting that they seemed to show up after 5PM from various places.
Top Most Bizarre/Disturbing Error Messages
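The log-scanning script proposed in the earlier comment (grep the access log for .ida requests, sort | uniq the sources, mail each site's webmaster), run over lines like the excerpt above, as an added Python example that is not any poster's code: it keeps one record per probing address, follows the follow-up's point by treating the run-of-A signature as a vulnerability scanner rather than the worm, skips addresses already notified so it can run several times a day, and only drafts the notice. The sample log lines (RFC 5737 addresses), the www.example.org host name and the notice wording are constructed; MS01-033 is the bulletin the thread's Microsoft mail points to.

```python
import re
from typing import Dict, Iterable, List, Set

# Apache common/combined log prefix: client, ident, user, [timestamp], "request line", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
# Request line of the probe shown in the thread: a GET for some .ida resource whose
# query string opens with a long run of one filler character and ends in "=X".
PROBE_RE = re.compile(
    r'^GET /[^ ?]*\.ida\?(?P<fill>[ANX])(?P=fill){19,}.*=X HTTP/1\.[01]$'
)
# The follow-up comment says the run of "A" is probably the eEye scanner, not the worm;
# the Code Red worm itself filled with "N" (first variant) or "X" (second variant).
FILLER_KIND = {"A": "scanner", "N": "worm", "X": "worm"}


def classify_request(request_line: str) -> str:
    """Return 'worm', 'scanner' or '' (not an .ida probe) for one request line."""
    m = PROBE_RE.match(request_line)
    return FILLER_KIND[m.group("fill")] if m else ""


def scan_log(lines: Iterable[str]) -> Dict[str, dict]:
    """One record per probing source IP (the 'sort | uniq' step) with count and times."""
    hits: Dict[str, dict] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line
        kind = classify_request(m.group("req"))
        if not kind:
            continue  # ordinary request
        rec = hits.setdefault(
            m.group("ip"),
            {"kind": kind, "count": 0, "first_seen": m.group("ts"), "last_seen": None},
        )
        rec["count"] += 1
        rec["last_seen"] = m.group("ts")
    return hits


def new_sources(hits: Dict[str, dict], notified: Set[str]) -> List[str]:
    """Worm sources not yet mailed; marks them so repeated runs send no duplicate notices.
    A real deployment would persist `notified` (one IP per line in a file) between runs."""
    fresh = sorted(ip for ip, rec in hits.items()
                   if rec["kind"] == "worm" and ip not in notified)
    notified.update(fresh)
    return fresh


def notification_text(ip: str, rec: dict, our_host: str) -> str:
    """Draft of the friendly notice to the remote site's webmaster (drafted, not sent)."""
    return (
        f"Hello,\n\nThe host {ip} sent {rec['count']} Code Red probe(s) to {our_host} "
        f"between {rec['first_seen']} and {rec['last_seen']}. That request is what the worm "
        "uses to find unpatched IIS 4.0/5.0 servers, so the host is very likely infected.\n\n"
        "Rebooting removes the running worm; to prevent re-infection install the fix from "
        "Microsoft Security Bulletin MS01-033.\n"
    )


# Constructed sample log lines (documentation addresses, not real probe sources).
SAMPLE_LOG = """\
192.0.2.10 - - [31/Jul/2001:17:10:49 -0400] "GET /x.ida?{A}=X HTTP/1.1" 404 280
198.51.100.7 - - [31/Jul/2001:17:11:03 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [31/Jul/2001:17:12:42 -0400] "GET /x.ida?{A}=X HTTP/1.1" 404 280
203.0.113.5 - - [31/Jul/2001:17:20:11 -0400] "GET /default.ida?{N}%u9090=X HTTP/1.0" 404 280
203.0.113.9 - - [31/Jul/2001:17:25:30 -0400] "GET /default.ida?{X}%u9090=X HTTP/1.0" 404 280
""".format(A="A" * 40, N="N" * 40, X="X" * 40)

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    already: Set[str] = set()  # would be loaded from the "already mailed" file
    for src in new_sources(found, already):
        print(notification_text(src, found[src], "www.example.org"))
    for src, rec in found.items():
        if rec["kind"] == "scanner":
            print(f"{src}: scanner-style probe ({rec['count']}x), not notified")
```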
If the Internet Ceases, then society will regress to the point when you can only create pr0n from whatever scraps you can find in the dilapidated ruins of New York City.
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
Along the same lines, am I the only person who has a problem with Cringely? After watching his PBS show about building an airplane in thirty days, I was convinced the guy has more money than brains, and that his infamy is due more to who he knows than what he knows.
www.lucernesys.com - Horizon: Calendar-based personal finance
IIS: It Isn't Secure.
But no, really I can tell you why IIS is still a choice as a web server, and also I'll tell you why it is so insecure.
(WARNING: As Always, IMHO).
IIS is still a choice because:
a) You can teach virtually anyone to perform simple administration on an IIS server.
b) You don't need to use a command prompt (no, it doesn't really scare people, they just tend to believe it's such a fuss to make things work.)
c) It comes with Windows 2000/NT (if you had a choice to 'Run Your Very Own Web Server(R)' while running MS Office and games, without having to boot to another OS, what would you think would be better?). The fact that It's There(r) is also extremely important; otherwise, people who had to use a Windows server would use Apache for Win32 instead.
d) It's a breeze to install and enable (incorrectly of course; there is plenty of configuring and patching you can do on IIS to make it safe/er, but no-one seems to bother: 'Who would try to hack ME?')
e) It means that it'll be easier for you to migrate to .NET later. That one's a very good reason. If the world DOES jump on the .NET bandwagon, would you like to stay behind (don't think '.NET port to Linux')? Could be very bad for business. On the other hand, if .NET doesn't work out, you can always jump to Apache.
Now, why IIS is insecure:
a) Do you remember how long it took Microsoft to realise the Internet was going to be the next big thing? That hurt them. Sure, they did release a web server (their lamest ever, IIS 2.0), but it was behind its time. IIS 4.0 was their first proper attempt, and while it worked, Microsoft had a lot to learn about security. They had to release patches constantly to help the poor early-adopters (nobody knew it was going to be so open), which unfortunately were quite a lot. IIS continued to grow, as it fitted the bill as a method to extend businesses with a Windows/NT infrastructure to the Internet. So, now we have 20% of the Internet running IIS.
b) IIS is also insecure because 50% of its sysadmins are idiots. 50%, not all of them, not none of them. 50%. Now, if you pushed a *nix sysadmin to run IIS (you would have to push real hard though), you would get a web server (being configured and patched correctly) which would totally evade most (if not all) of the IIS hacking frenzies and DoS attacks of the past 2 years. Including Code Red (the MS patch for that buffer overflow bug was published a few months ago. The wise IIS sysadmins noticed.).
c) Remember, IIS is young. It's about 6-7 years old, but it wasn't taken seriously until Windows NT 4.0, 4-5 years ago. As with Windows 2000, the time for IIS to become a proper, feasible solution is longer than that. And isn't Apache much older (please enlighten)?
And how will IIS become secure?
IIS 6.0 will be the first IIS to be reasonably secure, IMHO of course. Because it will incorporate all the fixes until now (quite a lot, shouldn't they be running out of bugs?), but most importantly because it will patch itself (that's what I heard anyway).
Now for your opinion: Will IIS 6.0 be a proper web server? Think about it and don't reject it: There wasn't a single reason to consider it if you were happily running the latest version of Apache, but now there is: .NET.
Think, think, and then post. And please correct me if I'm wrong. Thank you.
Oh and some things I'd like to point out, because some people get it wrong:
a) When you install Windows 2000 OR WinNT 4, it won't install IIS. Not even with full install. You have to install it separately AFTER the OS installation is complete, so people know when it's installed.
b) The Internet won't cease to exist, and this isn't a conspiracy by Microsoft (probably).
There is no such thing as 'world peace'.
Cringely tells us that the true threat is servers with mis-set clocks
No, Cringely mentions 2,000 IIS servers that are still in "infection" mode because they have mis-set clocks. The real "problem" is that disassembly of the worm indicates that it might have a monthly cycle, instead of being a one-shot wonder; y'know, when the other x00,000 IIS servers join in again.
I got the following mail from MS yesterday. (The ironic part is I initially was suspicious because the subject line was in all caps -- how rude!)
The following is a Security Bulletin from the Microsoft Product Security Notification Service.
Please do not reply to this message, as it was sent from an unattended mailbox.
-----BEGIN PGP SIGNED MESSAGE-----
The Microsoft Security Response Center, along with other organizations listed below, is jointly publishing this alert that ALL IIS ADMINISTRATORS ARE ASKED TO READ
A Very Real and Present Threat to the Internet: July 31 Deadline For Action
Summary:
The Code Red Worm and mutations of the worm pose a continued and serious threat to Internet users. Immediate action is required to combat this threat. Users who have deployed software that is vulnerable to the worm (Microsoft IIS Versions 4.0 and 5.0) must install, if they have not done so already, a vital security patch.
How Big Is The Problem?
On July 19, the Code Red worm infected more than 250,000 systems in just 9 hours. The worm scans the Internet, identifies vulnerable systems, and infects these systems by installing itself. Each newly installed worm joins all the others causing the rate of scanning to grow rapidly. This uncontrolled growth in scanning directly decreases the speed of the Internet and can cause sporadic but widespread outages among all types of systems. Code Red is likely to start spreading again on July 31st, 2001 8:00 PM EDT and has mutated so that it may be even more dangerous. This spread has the potential to disrupt business and personal use of the Internet for applications such as electronic commerce, email and entertainment.
Who Must Act?
Every organization or person who has Windows NT or Windows 2000 systems AND the IIS web server software may be vulnerable. IIS is installed automatically for many applications. If you are not certain, follow the instructions attached to determine whether you are running IIS 4.0 or 5.0. If you are using Windows 95, Windows 98, or Windows Me, there is no action that you need to take in response to this alert.
What To Do If You Are Vulnerable?
a. To rid your machine of the current worm, reboot your computer.
b. To protect your system from re-infection:
Install Microsoft's patch for the Code Red vulnerability problem:
- Windows NT version 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
- Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
Step-by-step instructions for these actions are posted at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codeptch.asp
Microsoft's description of the patch and its installation, and the vulnerability it addresses is posted at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
Because of the importance of this threat, this alert is being made jointly by:
Microsoft
The National Infrastructure Protection Center
Federal Computer Incident Response Center (FedCIRC)
Information Technology Association of America (ITAA)
CERT Coordination Center
SANS Institute
Internet Security Systems
Internet Security Alliance
Talk about FUD - here's a quote, from Scientific American, no less: "Imagine a cold that kills. It spreads rapidly and indiscriminately through droplets in the air, and you think you're absolutely healthy until you begin to sneeze. Your only protection is complete, impossible isolation."
WOW! That sounds awful! Run for the hills!
But wait - imagine that a vaccine for the cold has been available for months. You could get vaccinated just by logging into a website.
Oh, and once you're infected, all you need to do is take a nap (i.e. reboot) and you're healthy again.
What a load of scare-mongering. SciAm should know better.
I suspect this is the cure.
Best Slashdot Co
If any Mozilla developers are listening, I have a request. I'd like a version which displays a visible icon every time I log onto an IIS server. Then, if I double click the icon, it could list a selection of 'counter measures' such as CodeRed which I might deploy. These might use a plug-in architecture and be downloadable from sites using other browsers.
Thanks for listening.
Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
Perhaps this could be a monthly competition. Assuming, of course, that anyone can get through the infection storm to post to it.
Oh, and I'd like to propose a name for the inevitable next worm that just won't die - The Lazarus Worm. Cool, eh?
Why then is this threat suddenly everywhere?
They're FUDing the Net!
The logic is simple. Business wants a new manageable internet. First, prove to the world that end-to-end is broken. Then, advance proposals to fix it.
Waiting for the other shoe to drop. . .
Can you think of a better marketing ploy to make your soft drink sound hip and edgy and get the name plastered all over the media? This could be even better for free publicity and name recognition than the Verizon strike.
Vote today for Dilbert's list of Top 869 Things Programmers Are Least Likely To Say.
Sorry, but Apache mostly runs on *nix systems... anything from Linux to Solaris to FreeBSD.
Why don't you try writing a virus or worm that knows enough about each of the various *nix OSes, and the versions of Apache they are running, to infect them all.
Part of the reason Windows is so widespread is because Windows is stable (in an API sense, and in a reliability sense as far as W2K is concerned), and easy to write for.
Part of the reason Microsoft has so many hackers and skr1pt k1ddi3s after them is because Windows is so widespread.
-- russ
Natural != (nontoxic || beneficial)
Gimme a break.
Stevie boy is very insane, but he generates hype, which generates headlines, which makes the media look good. So wake up you government and corporate morons. The world will not come to an end. And Steve Gibson is not the prophet of the internet world.
It's funny that every time a Windows worm/virus propagates and (of course) Linux and other UNIX are not affected, it's just because they don't have much market share and nobody bothers writing a virus for an OS like Linux. Now, it's IIS that's being hit. If it were only about market share, Apache would get twice as many virii/worms as IIS, right? Maybe the most important factor after all is the number of security breaches in a product and not market share.
Opus: the Swiss army knife of audio codec
While I'd agree that he may be overly paranoid, I do share the opinion that the internet is extremely vulnerable right now, although not necessarily for the reasons he states.
I am not a professional security expert, but I do know my fellow computer users. They will take convenience over security every time until something Really Bad happens to their system. Then they will pay money to solve the problem, be alert for several months, and gradually relax as the problem doesn't reappear. Their knowledge of security may extend as far as knowing to update Norton Antivirus every once in a while.
We are fortunate that most virus writers are not the most skilled programmers in the world. Or, perhaps more likely, they have restrained themselves in order to avoid completely destroying their playground.
Think about this for a minute. It is easy to conceive of ways in which much more damage could be done to the internet than has already been done. If I recall correctly, the ILOVEYOU virus deleted jpgs from hard drives. The worst result I am aware of from this is a commercial image database being wiped out. Now, imagine what would have happened if DLLs had been attacked as well. Unbootable computers, applications and system software destroyed beyond repair short of total reinstall, etc. Most Windows machines out there have no file permissions system set up. NT does, but how many DOS based systems are still out there, and still hold critical work?
The problem with security is not that we don't know what to do. The problem is that so many of us don't do anything. That is what alarms Gibson, and in that he is correct. There are so many machines not being properly managed that damage is inevitable. And all of us are impacted by this in one way or another, unless everyone you deal with has good security. If that is true, you are lucky. For me, it is not.
Up until now, we have dealt mainly with simple scripts whose workings are obvious. However, here is some food for thought. Microsoft's servers are not invulnerable. Like any complex system, there are undoubtedly subtle and potentially dangerous bugs in the Windows code which will be obvious to anyone who can steal the source from the servers. If someone with or even without this code writes a truly powerful virus which attacks hundreds of subtle vulnerabilities simultaneously, knows how to hide the code in the depths of Windows, and destroys any system it can after reproducing itself, we are in deep S**t. Right now, most virus attacks involve the active cooperation of the email system - minimally some end user opening an attachment. So the measure of how widespread a virus becomes is often based on how many suckers read it. This is not, as it turns out, a big problem for the virus - it is easy to come up with email titles people will want to open. But if you remember the worm of '88, it didn't require the end user's cooperation at all. What happens when all that is needed for a machine to die is for it to connect to the network unpatched? Imagine the chaos of half a million machines with all their work, programs, and system software gone. Gibson may have a right to be paranoid.
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
At 5:15 AM.
In the morning.
From my mother.
She had just seen the FBI guy on TV and was worried her Windows 98 machine would destroy the world over her dialup connection.
I informed her that this was unlikely, and went back to bed.
I demand a million helicopters and a DOLLAR!
All you have to do is:
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft